<!DOCTYPE html>
<html lang="en-us">
  <head>

    <meta http-equiv="content-type" content="text/html; charset=utf-8">
    
<meta charset="UTF-8">
<title>Auditing security settings | Elasticsearch Guide [7.7] | Elastic</title>
<link rel="home" href="index.html" title="Elasticsearch Guide [7.7]">
<link rel="up" href="settings.html" title="Configuring Elasticsearch">
<link rel="prev" href="secure-settings.html" title="Secure settings">
<link rel="next" href="circuit-breaker.html" title="Circuit breaker settings">
<meta name="DC.type" content="Learn/Docs/Elasticsearch/Reference/7.7">
<meta name="DC.subject" content="Elasticsearch">
<meta name="DC.identifier" content="7.7">
<meta name="robots" content="noindex,nofollow">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <link rel="stylesheet" type="text/css" href="/guide/static/styles.css">
  </head>

  <!--© 2015-2021 Elasticsearch B.V. Copying, publishing and/or distributing without written permission is strictly prohibited.-->

  <body>

    <div class="main-container">
      <section id="content">
        <div class="content-wrapper">

          <section id="guide" lang="en">
            <div class="container">
              <div class="row">
                <div class="col-xs-12 col-sm-8 col-md-8 guide-section">
                  <!-- start body -->
                  <div class="page_header">
<strong>IMPORTANT</strong>: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
<a href="../current/index.html">current release documentation</a>.
</div>
<div id="content">
<div class="section xpack">
<div class="titlepage"><div><div>
<h2 class="title">
<a id="auditing-settings"></a>Auditing security settings<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/docs/reference/settings/audit-settings.asciidoc">edit</a><a class="xpack_tag" href="/subscriptions"></a>
</h2>
</div></div></div>

<p>You configure security auditing settings in the <code class="literal">elasticsearch.yml</code> configuration file
on each node in the cluster. For more information, see <a class="xref" href="enable-audit-logging.html" title="Enabling audit logging"><em>Enabling audit logging</em></a>.</p>
<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="general-audit-settings"></a>General Auditing Settings<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/docs/reference/settings/audit-settings.asciidoc">edit</a>
</h3>
</div></div></div>
<div class="variablelist">
<dl class="variablelist">
<dt>
<span class="term">
<code class="literal">xpack.security.audit.enabled</code>
</span>
</dt>
<dd>
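Set to <code class="literal">true</code> to enable auditing on the node. The default value is <code class="literal">false</code>.
When auditing is enabled, the node writes its audit events to a dedicated file named
<code class="literal">&lt;clustername&gt;_audit.json</code> on that node. The setting applies per node, so a node
on which it is left at <code class="literal">false</code> records no audit events.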
</dd>
</dl>
</div>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="event-audit-settings"></a>Audited Event Settings<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/docs/reference/settings/audit-settings.asciidoc">edit</a>
</h3>
</div></div></div>
<p>You control which events are logged, and some of the information that is
recorded with them, by using the following settings:</p>
<div class="variablelist">
<dl class="variablelist">
<dt>
<span class="term">
<code class="literal">xpack.security.audit.logfile.events.include</code>
</span>
</dt>
<dd>
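Specifies which events to include in the auditing output. The default value is:
<code class="literal">access_denied, access_granted, anonymous_access_denied, authentication_failed,
connection_denied, tampered_request, run_as_denied, run_as_granted</code>.
Event types that are absent from the configured list are not written to the
auditing output; with the default value this includes, for example,
<code class="literal">authentication_success</code>.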
</dd>
<dt>
<span class="term">
<code class="literal">xpack.security.audit.logfile.events.exclude</code>
</span>
</dt>
<dd>
Excludes the specified events from the output. By default, no events are
excluded.
</dd>
<dt>
<span class="term">
<code class="literal">xpack.security.audit.logfile.events.emit_request_body</code>
</span>
</dt>
<dd>
<p>
Specifies whether to include the request body from REST requests on certain
event types such as <code class="literal">authentication_failed</code>. The default value is <code class="literal">false</code>.
</p>
<div class="important admon">
<div class="icon"></div>
<div class="admon_content">
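<p>Request bodies are not filtered before they are audited, so any sensitive data
they contain (for example, passwords or document contents sent in a request) may be
written to the audit log in plain text. If you enable this setting, restrict access
to the audit log files and to any system they are forwarded to.</p>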
</div>
</div>
</dd>
</dl>
</div>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="node-audit-settings"></a>Local Node Info Settings<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/docs/reference/settings/audit-settings.asciidoc">edit</a>
</h3>
</div></div></div>
<div class="variablelist">
<dl class="variablelist">
<dt>
<span class="term">
<code class="literal">xpack.security.audit.logfile.emit_node_name</code>
</span>
</dt>
<dd>
Specifies whether to include the <a class="xref" href="node.name.html" title="node.name">node name</a> as a field in
each audit event. The default value is <code class="literal">false</code>.
</dd>
<dt>
<span class="term">
<code class="literal">xpack.security.audit.logfile.emit_node_host_address</code>
</span>
</dt>
<dd>
Specifies whether to include the node’s IP address as a field in each audit event.
The default value is <code class="literal">false</code>.
</dd>
<dt>
<span class="term">
<code class="literal">xpack.security.audit.logfile.emit_node_host_name</code>
</span>
</dt>
<dd>
Specifies whether to include the node’s host name as a field in each audit event.
The default value is <code class="literal">false</code>.
</dd>
<dt>
<span class="term">
<code class="literal">xpack.security.audit.logfile.emit_node_id</code>
</span>
</dt>
<dd>
Specifies whether to include the node id as a field in each audit event.
This field is available in the new format only; it does not exist in the
<code class="literal">&lt;clustername&gt;_access.log</code> file.
Unlike the <a class="xref" href="node.name.html" title="node.name">node name</a>, whose value might change if the administrator
changes the setting in the config file, the node id persists across cluster
restarts and cannot be changed by the administrator, which makes it the more
stable field for attributing an event to a node.
The default value is <code class="literal">true</code>.
</dd>
</dl>
</div>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="audit-event-ignore-policies"></a>Audit Logfile Event Ignore Policies<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/docs/reference/settings/audit-settings.asciidoc">edit</a>
</h3>
</div></div></div>
<p>These settings configure the <a class="xref" href="audit-log-output.html#audit-log-ignore-policy" title="Logfile audit events ignore policies">ignore policies</a>
that give fine-grained control over which audit events are printed to the log file.
All of the settings with the same policy name combine to form a single policy.
If an event matches all of the conditions of a policy, it is ignored
and not printed. An ignored event is not recorded in the log file at all, so keep
each policy as narrow as possible: a broad wildcard can suppress events that are
needed later to reconstruct who did what.</p>
<div class="variablelist">
<dl class="variablelist">
<dt>
<span class="term">
<code class="literal">xpack.security.audit.logfile.events.ignore_filters.&lt;policy_name&gt;.users</code>
</span>
</dt>
<dd>
A list of user names or wildcards. The specified policy will
not print audit events for users matching these values.
</dd>
<dt>
<span class="term">
<code class="literal">xpack.security.audit.logfile.events.ignore_filters.&lt;policy_name&gt;.realms</code>
</span>
</dt>
<dd>
A list of authentication realm names or wildcards. The specified policy will
not print audit events for users in these realms.
</dd>
<dt>
<span class="term">
<code class="literal">xpack.security.audit.logfile.events.ignore_filters.&lt;policy_name&gt;.roles</code>
</span>
</dt>
<dd>
A list of role names or wildcards. The specified policy will
not print audit events for users that have these roles. If the user has several
roles, some of which are <span class="strong strong"><strong>not</strong></span> covered by the policy, the policy will
<span class="strong strong"><strong>not</strong></span> cover this event.
</dd>
<dt>
<span class="term">
<code class="literal">xpack.security.audit.logfile.events.ignore_filters.&lt;policy_name&gt;.indices</code>
</span>
</dt>
<dd>
A list of index names or wildcards. The specified policy will
not print audit events when all the indices in the event match
these values. If the event concerns several indices, some of which are
<span class="strong strong"><strong>not</strong></span> covered by the policy, the policy will <span class="strong strong"><strong>not</strong></span> cover this event.
</dd>
</dl>
</div>
</div>

</div>
</div>

                  <!-- end body -->
                </div>
              </div>
            </div>
          </section>

        </div>



      </section>
    </div>

  </body>
</html>
